New Features in EPPB

April 5th, 2012 by Andrey Belenko

When it comes to adding new features to our products we try to focus on our customers’ needs and it is my pleasure today to announce a preview (or beta) version of our Phone Password Breaker tool with new features requested (or inspired) by our valued customers users

Here’s the wrap-up of new features.

Ability to Decrypt Files from BlackBerry SD Card

EPPB can now decrypt .rem files from BlackBerry SD cards. Depending on media card encryption settings you may be asked to provide BB device password, BB dump (chip-off or physical), or both:

For SD cards encrypted using “Device key” option a device dump will be required;

For SD cards encrypted using “Device password” option a device password will be required (don’t forget that you can recover device password for SD cards utilizing this type of encryption using Professional Edition of EPPB);

For SD cards encrypted using “Device key and device password” both dump and password will be required.

Decryption process is fast and simple:

Choose File – BlackBerry – Decrypt SD card

Select directory which is the root of SD card you’re trying to decrypt

Provide device dump and/or device password when requested

Select files to decrypt

Choose output directory

Watch files being decrypted

Improved iOS Keychain Explorer

EPPB can now display contents of iOS keychain even from backups that are not password-protected (not encrypted). This, however, will require you to provide so-called securityd key (also known as key 0x835 or key 2101) of the device used to produce the backup. You can acquire this key from the device by using our iOS Forensic Toolkit or by using other tools. As soon as you’ve got the key, open Keychain Explorer in EPPB (File – Apple – Keychain Explorer) and select your unencrypted backup. You will be then prompted for a device key — you can enter it in either hex or base64-encoded form. Once you provide the key, EPPB will display the keychain contents.

Users of iOS Forensic Toolkit can easily find this securityd key in a file that is produced during “GET KEYS” step (keys.plist): open file using any text editor (or property list editor if you’re on Mac) and locate a value corresponding to key “2101” in “DerivedKeys” section. Typically this would be the first value in a file, located on or around line 9.

You may be asking why bother with decrypting keychain if we already have a device and iOS Forensic Toolkit can perform its physical acquisition? Well, keychain from the backup may contain information that has been already wiped from the device (i.e. if user has performed wipe or restore on the device). The great thing about securityd key is that it is constant for the lifetime of the device, meaning having this key will allow you to decrypt all past, current, and future iOS keychains from the (unencrypted) backups.

Support for UFED Keyfiles for Decryption of iOS User Partitions

Last but not least, we have updated EPPB to accept UFED keyfiles (.UFD) and decrypt iOS user partition images, so you can now decrypt image and load/analyze it outside of UFED environment.

Updated version of EPPB (version 1.83) is now available as a beta version (you can download a full MSI installer here, or just an updated .exe file here). If new features sound like something you need — please, give it a try. As always, we’d love to hear back from you, and the easiest way to reach us is to use Help – Send feedback menu in the EPPB — this will create an email that will land right in my inbox.

As a final note, I would like to thank our customers. Those new features were added based on your feedback/requests/suggestions, and we really hope they will make your job easier. Thanks for choosing us!

We’re working hard on improving the product and adding new valuable features to it, and I’m sure you won’t be disappointed with what is coming next!

This entry was posted
on Thursday, April 5th, 2012 at 3:54 pm and is filed under Elcom-News, General, Security, Software.
You can follow any responses to this entry through the RSS 2.0 feed.
You can skip to the end and leave a response. Pinging is currently not allowed.